Visual cryptography schemes with optimal pixel expansion


Theoretical Computer Science 369 (2006), www.elsevier.com/locate/tcs

Carlo Blundo (a), Stelvio Cimato (b), Alfredo De Santis (a)

(a) Dipartimento di Informatica ed Applicazioni, Università degli Studi di Salerno, 8408, Baronissi (SA), Italy
(b) Dipartimento di Tecnologie dell'Informazione, Università degli Studi di Milano, 2603 Crema (CR), Italy

Received April 2005; received in revised form 7 June 2006; accepted 2 August 2006. Communicated by A Fiat.

Corresponding author: C Blundo (carblu@diaunisait)

Abstract

A visual cryptography scheme encodes a black and white secret image into n shadow images called shares which are distributed to the n participants. Such shares are such that only qualified subsets of participants can visually recover the secret image. Usually, the reconstructed image will be darker than the background of the image itself. In this paper we consider visual cryptography schemes satisfying the model introduced by Tzeng and Hu [A new approach for visual cryptography, Designs, Codes and Cryptography 27 (3) (2002) ]. In such a model, the recovered secret image can be darker or lighter than the background. We prove a lower bound on the pixel expansion of the scheme and, for (2,n)-threshold visual cryptography schemes, we provide schemes achieving the bound. Our schemes improve on the ones proposed by Tzeng and Hu.

2006 Elsevier BV. All rights reserved.

Keywords: Visual cryptography; Pixel expansion

Introduction

A visual cryptography scheme for a set P of n participants is a method to encode a secret black and white image SI into n shadow images called shares, where each participant in P receives one share. Certain qualified subsets of participants can visually recover the secret image, but other, forbidden, sets of participants have no information (in an information-theoretic sense) on SI. A visual recovery for a set X P consists of xeroxing the shares given to the participants in X onto transparencies, and then stacking them. The participants in a qualified set X will be able to see the secret image without any knowledge of cryptography and without performing any cryptographic computation.

This cryptographic paradigm was introduced by Naor and Shamir in their seminal paper [4]. They analyzed the case of (k, n)-threshold visual cryptography schemes, in which the secret image is visible if any k or more transparencies are stacked together. If fewer than k transparencies are stacked together, then the resulting image will be indistinguishable from random noise. More generally, any set of k participants can analyze their collection of shares by any means, but they will obtain no information about the secret image.

In order to implement a visual cryptography scheme, each pixel of the original image is encoded into n versions called shares, one for each transparency. Each share is composed of m black and white subpixels. When we superimpose two white subpixels we obtain a white subpixel; while superimposing one black subpixel to any other subpixel, we get a black subpixel. Thus, the grey level of the combined share obtained by stacking some transparencies is proportional to the number of black subpixels appearing in it. This grey level is interpreted by the visual system of the users as black or as white in accordance with some rule of contrast.

In the model introduced by Naor and Shamir, the grey level of a reconstructed black pixel will be greater than the grey level of a reconstructed white one. In other words, the reconstructed image will be darker than the background of the image itself. In this paper, we consider visual cryptography schemes satisfying the model introduced by Tzeng and Hu in [5]. In such a model, the recovered secret image can be darker or lighter than the background.

The best way to understand such a new model is by resorting to an example. We want to realize a (2, 3)-threshold visual cryptography scheme. Hence, there are three participants, that is P ={, 2, 3}, and any two of them can recover the secret image. We want to encode the secret image TCS. For this example, the visual cryptography scheme satisfying the model in [5] is described in (). The original image and the three shares generated are as depicted in Fig. Three of them look like random patterns and, indeed, no individual share provides any information, even to an infinitely powerful computer, on the original image. If we superimpose the transparencies associated to participants and 2 and to participants and 3, respectively, we get the result given in Fig 2.

Fig The original image and the shares of a (2, 3)-threshold VCS
Fig 2 Images reconstructed by participants and 2 and and 3, respectively

In this paper, we restrict our attention to (2,n)-threshold visual cryptography schemes. We prove a lower bound on the pixel expansion of the scheme and we provide visual cryptography schemes achieving the bound. Our schemes improve, with respect to the pixel expansion, on the ones presented in [5].

2 Model and notation

Let P ={,,n} be a set of elements called participants, and let 2 P denote the set of all subsets of P. Let Γ Qual 2 P and Γ Forb 2 P, where Γ Qual Γ Forb =. We refer to members of Γ Qual as qualified sets and we call members of Γ Forb forbidden sets. The pair (Γ Qual, Γ Forb ) is called the access structure of the scheme. Define Γ 0 to consist of all the minimal qualified sets: Γ 0 ={A Γ Qual : A / Γ Qual for all A A}. A qualified set X that does not belong to Γ 0, i.e., X Γ Qual \Γ 0 is referred to as not-minimal qualified set. A (k, n)-threshold VCS is a visual cryptography scheme for the access structure with basis Γ 0 ={B P : B =k}.

We assume that the image consists of a collection of black and white pixels. Each pixel appears in n versions called shares, one for each transparency. Each share is a collection of m black and white subpixels. The resulting structure can

be described by an n m Boolean matrix S =[s ij ] where s ij = iff the jth subpixel in the ith transparency is black. Therefore, the grey level of the combined share, obtained by stacking the transparencies i,,i s, is proportional to the Hamming weight w(v ) of the m-vector V = OR(r i,,r is ) where r i,,r is are the rows of S associated with the transparencies we stack. This grey level is interpreted by the visual system of the users as black or as white in accordance with some rule of contrast.

The conventional definition [] for visual cryptography schemes is as follows.

Definition 2 Let (Γ Qual, Γ Forb ) be an access structure on a set of n participants. Two collections (multisets) of n m boolean matrices C 0 and C constitute a visual cryptography scheme (Γ Qual, Γ Forb,m)-VCS if there exist the value α(m) and the set {(X, t X )} X ΓQual satisfying:

1. Any (qualified) set X ={i,i 2,,i p } Γ Qual can recover the shared image by stacking their transparencies. Formally, for any M C 0, the or V of rows i,i 2,,i p satisfies w(v ) t X α(m) m; whereas, for any M C it results that w(v ) t X.
2. Any (forbidden) set X ={i,i 2,,i p } Γ Forb has no information on the shared image. Formally, the two collections of p m matrices D t, with t {0, }, obtained by restricting each n m matrix in C t to rows i,i 2,,i p, are indistinguishable in the sense that they contain the same matrices with the same frequencies.

The first property is related to the contrast of the image. It states that when a qualified set of users stack their transparencies they can correctly recover the shared image (i.e., the revealed image is darker than the background, in other words, the grey level of a reconstructed black pixel is bigger than the grey level of a reconstructed white pixel). The value α(m) is called relative difference, the number α(m) m is referred to as the contrast of the image, the set {(X, t X )} X ΓQual is called the set of thresholds, and t X is the threshold associated to X Γ Qual. We want the contrast to be as large as possible and at least one, that is, α(m) m. The second property is called security, since it implies that, even by inspecting all their shares, a forbidden set of participants cannot gain any information in deciding whether the shared pixel was white or black.

In the following we recall the definition of visual cryptography scheme provided in [5]. The main difference between such a definition of VCS and the traditional one is that the property of contrast of the reconstructed image is changed as the revealed image can be darker or lighter than the background (i.e., some qualified sets recover the original image, while other qualified sets recover the negative of the image itself). Moreover, as also done in [5], we assume that only the sets in Γ 0 can recover the shared image by stacking their transparencies. If a set X is a not-minimal qualified (i.e., it belongs to Γ Qual \Γ 0 ), then we assume that the participants in X, stacking their transparencies, cannot distinguish a white pixel from a black one. This is formalized by the next definition [5].

Definition 22 Let (Γ Qual, Γ Forb ) be an access structure on a set of n participants. Two collections (multisets) of n m boolean matrices C 0 and C constitute a visual cryptography scheme (Γ Qual, Γ Forb,m)-VCS if there exist the value α(m) and the set {(X, t X )} X ΓQual satisfying:

1. Any minimal qualified set X ={i,i 2,,i p } Γ 0 can recover the shared image by stacking their transparencies. Formally, for any M C 0, the or V of rows i,i 2,,i p satisfies w(v ) = t X ; whereas, either, for any M C, it results that w(v ) t X + α(m) m or, for any M C, it results that w(v ) t X α(m) m.
2. Any (forbidden) set X ={i,i 2,,i p } Γ Forb has no information on the shared image. Formally, the two collections of p m matrices D t, with t {0, }, obtained by restricting each n m matrix in C t to rows i,i 2,,i p, are indistinguishable in the sense that they contain the same matrices with the same frequencies.
3. Any not-minimal qualified set X ={i,i 2,,i p } Γ Qual \Γ 0, by stacking their transparencies, has no information on the shared image. Formally, the two collections of m vectors V t, with t {0, }, obtained by OR-ing the rows i,i 2,,i p of each matrix in C t are indistinguishable in the sense that they contain the same vectors with the same frequencies.

We see that Condition of Definitions 2 and 22 is different. According to Definition 2, the revealed image is darker than the background; while, according to Definition 22, the revealed image can be darker or lighter than the background. Moreover, in this model we rule out the possibility that by stacking all the transparencies of the participants in X Γ Qual \Γ 0, some information about the secret image is revealed. However, notice that, if a set of participants

X is a superset of a minimal qualified set X and they know the form of the access structure (Γ Qual, Γ Forb ), then they can recover the shared image by considering only the shares of the set X. Moreover, when the participants in X do not know the access structure they belong to, they can always recover the original image. Indeed, by inspecting their transparencies all together, they can distinguish whether the shares come from a matrix in C 0 or a matrix in C.

In view of the above observations, we make a few considerations about the structure of Γ Qual and Γ Forb. It is clear that any subset of a forbidden subset is forbidden, so Γ Forb is necessarily monotone decreasing. Hence, no superset of a qualified subset is forbidden. Finally, wlog, we can assume that Γ Qual is monotone increasing that is Γ Qual ={C P : B C for some B Γ 0 }, and we say that Γ Qual is the closure of Γ 0.

All constructions in this paper are realized using two n m matrices, S 0 and S, called basis matrices satisfying the following definition.

Definition 23 Let (Γ Qual, Γ Forb ) be an access structure on a set of n participants. A (Γ Qual, Γ Forb,m)-VCS with relative difference α(m) and set of thresholds {(X, t X )} X ΓQual is realized using the two n m basis matrices S 0 and S if the following two conditions hold.

1. If X ={i,i 2,,i p } Γ 0 (i.e., if X is a minimal qualified set), then the or V of rows i,i 2,,i p of S 0 satisfies w(v ) = t X ; whereas, for S it results that either w(v ) t X + α(m) m or w(v ) t X α(m) m.
2. If X ={i,i 2,,i p } Γ Forb (i.e., if X is a forbidden set), then the two p m matrices obtained by restricting S 0 and S to rows i,i 2,,i p are equal up to a columns permutation.
3. If X ={i,i 2,,i p } Γ Qual \Γ 0, (i.e., X is a qualified set which is not minimal), then the two m vectors V 0 and V, obtained by OR-ing the rows i,i 2,,i p of S 0 and S, respectively, have the same Hamming weight, that is, w(v 0 ) = w(v ).

The collections C 0 and C are obtained by permuting the columns of the corresponding basis matrix (S 0 for C 0, and S for C ) in all possible ways. A visual cryptography scheme (Γ Qual, Γ Forb,m)-VCS which is optimal with respect to the pixel expansion m will be referred to as an expansion-optimal VCS.

3 The Structure of VCS

Before providing some useful properties of VCS, we need to set up our notation. Let M be a n m binary matrix. For X {,,n}, let M X denote the m-vector obtained by considering the or of the rows corresponding to the indices in X; whereas M[X] denotes the X m matrix obtained from M by considering only the rows corresponding to the indices in X. If X ={r}, then instead of using M[{r}] to denote the row r of M we will use the shortened notation M[r]. For any binary vector V, with w(v ) we denote the number of zeroes in V (i.e., the complement of the Hamming weight). By abuse of notation, given two matrices A and B having the same number of rows, with A B = we denote the fact that the same column does not appear in both matrices. In this case, the matrices A and B are referred to as non-redundant matrices. Finally, with A B we denote the matrix obtained by concatenating the matrices A and B.

We restrict our attention to (Γ Qual, Γ Forb,m)-VCS realized by non-redundant basis matrices S 0 and S. In this case, if the access structure is not an (n, n)-threshold access structure, we will prove that Condition 3 of Definition 23 reduces to w(s 0 X ) = w(s X ) = m, for any X Γ Qual\Γ 0. We will also prove that the matrix S = S 0 S has to contain some predefined sub-matrices. The columns of such sub-matrices are referred to as unavoidable patterns.

Theorem 3 In any (Γ Qual, Γ Forb,m)-VCS realized by the non-redundant basis matrices S 0 and S, for any X Γ Qual \Γ 0, it holds that w(s 0 X ) = w(s X ) = m.

Proof We will prove the theorem by contradiction by showing that if some set X Γ Qual \Γ 0 does not satisfy w(s 0 X ) = w(s X ) = m, then S0 S =. We will consider the sets in Γ Qual \Γ 0 in non-increasing order by size. Let P ={,,n} be the set of n participants the access structure (Γ Qual, Γ Forb ) is realized on. For i n, let Q(i) be

the family of all qualified sets of size i which are not minimal, i.e., Q(i) ={X Γ Qual \Γ 0 : X =i}. Since we are considering Γ Qual monotone increasing, it results that if X Q(i), then X {j} Q(i + ) for any j P\X.

Let X Q(n) (notice that there is only one set in Q(n) as we do not consider (n, n)-threshold access structures) and let Σ be a VCS for (Γ Qual, Γ Forb ) such that S 0 S = and w(sx 0 ) = w(s X ) = m X <m. In this case, there exist m m X columns both in S 0 and S whose entries are all equal to zero. This implies that S 0 S = which contradicts the hypothesis. Hence, in the scheme Σ we have that w(sx 0 ) = w(s X ) = m, for X Q(n).

If Q(n ) =, then there do not exist qualified sets X Γ Qual \Γ 0 of cardinality n. Therefore, there is nothing to prove. If Q(n ) =, then, consider any set X Q(n ) and assume that w(sx 0 ) = w(s X ) = m X <m. In this case, there exist m m X columns both in S 0 [X] and S [X] whose entries are equal to zero. For the sake of simplicity, assume these are the first m m X columns of both S 0 [X] and S [X]. Let {i} =P\X. Since for Y ={i} X Q(n) we proved that w(sy 0 ) = w(s Y ) = m, it must be the case that S0 [i, ] = = S 0 [i, m m X ] = and that S [i, ] = = S [i, m m X ] =. Therefore, the first m m X columns of both S 0 and S are equal. This implies that S 0 S = which contradicts the hypothesis of the theorem. Hence, in the scheme Σ we have that w(sx 0 ) = w(s X ) = m, for any X Q(n ), too.

In general, if for some value q, we have that Q(n q) = and that w(sx 0 ) = w(s X ) = m for any X Q(n q +), then we can proceed as follows. Consider any set X Q(n q) and assume that w(sx 0 ) = w(s X ) = m X <m. In this case, there exist m m X columns both in S 0 [X] and S [X] whose entries are equal to zero. For the sake of simplicity assume these are the first m m X columns of both S 0 [X] and S [X]. Since, for any i P\X, it holds that w(sy 0 ) = w(s Y ) = m, where Y ={i} X Q(n q + ), then S0 [i, j] =S [i, j] =, for j m m X and i P\X. Therefore, the first m m X columns of both S 0 and S are equal as they contain a zero in position j X and a one in position i P\X. This implies that S 0 S = which contradicts the hypothesis of the theorem. Thus, we can conclude that for any X Γ Qual \Γ 0, it holds that w(sx 0 ) = w(s X ) = m and the theorem is proved.

The next corollary is a consequence of the above theorem.

Corollary 32 For any (k, n)-threshold VCS realized by the non-redundant basis matrices S 0 and S, there is no column in S 0 S of weight less than n k.

Proof Let S = S 0 S. According to Theorem 3, for any X Γ Qual \Γ 0, it holds that w(s X ) = 2m. Suppose by contradiction that there is a column in S 0 S of weight t<n k. This implies that in such a column there are n t >k entries, say the first n t, all equal to zero. Hence, w(s X ) = 2m, where X ={,,n t}. This contradicts w(s X ) = 2m, for any X Γ Qual \Γ 0. Thus, the corollary holds.

The next lemma states that if there exists a VCS having basis matrices S 0 and S such that S 0 S =, then we can always construct a new VCS with non-redundant basis matrices Ŝ 0 and Ŝ.

Lemma 33 If Σ is a (Γ Qual, Γ Forb,m)-VCS having contrast α(m) realized by basis matrices S 0 and S such that S 0 S =, then there exists a (Γ Qual, Γ Forb, m)-VCS having contrast α( m) = α(m) m/ m realized by non-redundant basis matrices.

Proof Let R = S 0 S, then the basis matrices S 0 and S are equal, up to a column permutation, to the matrices Ŝ 0 R and Ŝ R, respectively. Assume that the matrix Ŝ b, for b = 0,, has dimension n m. We will prove that the matrices Ŝ 0 and Ŝ satisfy Definition 23.

For any X Γ 0 by Condition of Definition 23, we have that w(s 0 X ) = w(ŝ0 X ) + w(r X) = t X and either w(s X ) = w(ŝ X ) + w(r X) t X + α(m) m or w(s X ) = w(ŝ X ) + w(r X) t X α(m) m. Setting t X = t X w(r X ) and α( m) = α(m) m/ m we have that w(ŝ 0 X ) = t X and either w(ŝ X ) t X + α( m) m or w(ŝ X ) t X α( m) m. Therefore, the matrices Ŝ 0 and Ŝ satisfy Condition of Definition 23.

For any X Γ Forb, Condition 2 of Definition 23 states that S 0 [X] is equal, up to a column permutation, to S [X]. Therefore, the matrices Ŝ 0 [X] and Ŝ [X] are equal, up to a column permutation, too. Hence, the matrices Ŝ 0 and Ŝ satisfy Condition 2 of Definition 23.

Finally, for any X Γ Qual \Γ 0, Condition 2 of Definition 23 states that w(sx 0 ) = w(s X ). Since w(s0 X ) = w(ŝ0 X ) + w(r X ) and w(sx ) = w(ŝ X ) + w(r X), we get that w(ŝx 0 ) = w(ŝ X ). Therefore, the matrices Ŝ0 and Ŝ satisfy Condition 3 of Definition 23. Thus, the lemma holds.

In the following theorem we will prove that the matrices S 0 and S have to contain some predefined patterns which we call unavoidable patterns. More precisely, for any VCS the matrix S 0 S has to contain some fixed columns determined by Γ 0.

Theorem 34 In any (Γ Qual, Γ Forb,m)-VCS realized by the basis matrices S 0 and S, for any X ={i,i 2,,i p } Γ 0, either S 0 or S contains at least α(m) m columns with a 0 in the rows {i,i 2,,i p } and s in the other rows.

Proof Assume that the VCS is realized by non-redundant basis matrices S 0 and S. If this is not the case, then, by applying Lemma 33, we can construct a new VCS whose basis matrices have empty intersection and whose pixel expansion m and contrast α( m) satisfy α( m) m = α(m) m.

Consider any set of participants X ={i,i 2,,i p } Γ 0. From Condition of Definition 22, we have that w(sx 0 ) = t X and that either w(sx ) t X + α(m) m or w(sx ) t X α(m) m. Assuming that w(sx ) t X + α(m) m, we get w(sx ) w(s0 X ) α(m) m. Therefore, the matrix S 0 [X] must contain at least α(m) m columns with all entries equal to zero. Moreover, by Theorem 3, we have that w(sy 0 ) = w(s Y ) = m, for any Y such that X Y. Therefore, the matrix S0 contains at least α(m) m columns with a 0 in the rows {i,i 2,,i p } and s in the other rows.

We can apply the same reasoning as above when w(sx ) t X α(m) m, proving that the matrix S contains at least α(m) m columns with a 0 in the rows {i,i 2,,i p } and s in the other rows. Thus, the theorem is proved.

From the above theorem, one can easily get that in any visual cryptography scheme realized by non-redundant basis matrices (i.e., S 0 S = ), the number of columns of S 0 S is at least Γ 0 α(m) m. Therefore, since α(m) m and m has to be an integer value, we can immediately get a bound on the pixel expansion for any (Γ Qual, Γ Forb,m)-VCS as stated by the next theorem.

Theorem 35 In any (Γ Qual, Γ Forb,m)-VCS realized by basis matrices, the pixel expansion satisfies m Γ 0 /2.

We give the following two examples to illustrate the definition of unavoidable patterns and the use of Theorem 35, when P ={, 2, 3, 4}.

Example 3 Define Γ 0 ={{, 2}, {2, 3}, {3, 4}}. The unavoidable patterns are: The following basis matrices S 0 and S realize a VCS for Γ S 0 = 0 0, S = The unavoidable patterns

belongs to S 0, while, the unavoidable pattern 0 0 belongs to S. In this scheme, m = 3 and α(m) = 3.

Example 32 Define Γ 0 ={{, 2}, {2, 3}, {3, 4}, {, 4}}. The unavoidable patterns are: The basis matrices S 0 and S realizing a VCS for Γ 0 are as follows: 0 0 S 0 = 0 0, S = In this scheme, m = 2 and α(m) = 2. According to Theorem 35 the VCS realized by S0 and S is optimal with respect to the pixel expansion.

Recall that a (k, n)-threshold VCS is a visual cryptography scheme for the access structure with basis Γ 0 ={B P : B =k}. In [4] Naor and Shamir proved that for any (n, n)-threshold VCS the pixel expansion satisfies m 2 n. The structure of basis matrices (n, n)-threshold VCS was completely characterized in [3]. The proof of Theorem 7 in [3] can easily be modified in order to prove that for any (n, n)-threshold VCS satisfying Definition 23 the pixel expansion is lower bounded by 2 n, too. In the case of (k, n)-threshold access structures, with k<n, the next corollary provides a bound on m.

Corollary 36 In any (k, n)-threshold VCS, with 2 k <n, realized by basis matrices, the pixel expansion satisfies m ( ) n /2 k

In the next section, we will see that the above bound is tight for (2,n)-threshold VCS when n mod 4. For the other cases, we will provide stronger bounds.

4 Optimal (2,n)-threshold VCS

In this section, we will prove a bound on the pixel expansion of (2,n)-threshold VCS, with n>2, realized by basis matrices. We will show that such bound is tight by presenting (2,n)-threshold VCS meeting it.

4 The bound

In this section, we prove a lower bound on the pixel expansion stronger than the one provided by Corollary 36 when n is even or n 3 mod 4.

Theorem 4 In any (2,n)-threshold VCS, with n>2, constructed using basis matrices the pixel expansion satisfies n 2 4 n(n ) m 4 n 2 n if n 0 mod 2, if n mod 4, if n 3 mod 4

Proof Assume that n is even and let Σ be a (2,n)-threshold VCS constructed using the basis matrices S 0 and S. Let S be the binary matrix equal to S = S 0 S. Because of Condition 2 of Definition 23, it results that both the number of zeroes and the number of ones in any row of S is even. According to Corollary 32, all columns in S have weight at least n 2. Moreover, from Theorem 34, all the ( n 2 ) distinct columns of weight n 2 (i.e., the unavoidable patterns) have to appear in S. Therefore, S is equal, up to a columns permutation to the matrix A B, where A is a n ( n 2 ) matrix composed by all the distinct unavoidable patterns and B is some binary matrix whose columns have weight at least n 2. Notice that, for r n, we have that the number of zeroes in A[r] is equal to n, which is odd. This means that, for r n, the matrix B must contain at least a column whose rth entry is equal to zero. Since all B's columns have weight at least n 2, to have that in any row of A B there is an even number of zeroes, it results that the number of columns in B should be at least n/2. Therefore, the number of columns in S is at least n(n )/2 + n/2 = n 2 /2. Hence, m n2 4. Thus, the theorem is proved for n even.

If n mod 4, then we can apply directly Corollary 36. So we are left with proving that the last inequality holds.

Consider n 3 mod 4 and let Σ be a (2,n)-threshold VCS realized by the basis matrices S 0 and S. By Corollary 36, the pixel expansion is lower bounded by n(n )/4 =(n 2 n + 2)/4. We will prove that there does not exist a VCS with pixel expansion equal to (n 2 n + 2)/4. Therefore, m should be at least (n 2 n + 2)/4 + = (n 2 n + 6)/4 and the theorem is proved.

Assume by contradiction that Σ has pixel expansion equal to m = (n 2 n + 2)/4. According to Theorem 34, each of the ( n 2 ) columns of weight n 2 has to appear either in S0 or in S. Therefore, since ( n 2 ) = 2m, one matrix, say S 0, will contain m = (n 2 n 2)/4 of such columns; while, S will comprise the others m = (n 2 n + 2)/4. Let U 0 be the sub-matrix of S 0 composed of only m distinct unavoidable patterns. Now, we prove that there exists at least an index j, with j n, such that w(u 0 [j]) (n 3)/2. Assume by contradiction that w(u 0 [i]) (n )/2 for all i with i n. Then, we have that the total number of zeroes in U 0 is at least n(n )/2 which is a contradiction as, by construction, the total number of zeroes in U 0 is 2(m ) = (n 2 n 2)/2. Hence, there exists an index j, with j n, such that w(u 0 [j]) (n 3)/2. Since any row of U 0 S (the matrix of all unavoidable patterns) contains n zeroes, then, for the index j, we have that w(u 0 [j]) n 3 2 and w(s [j]) n n 3 2 = n + 2. Since w(s [j]) w(u 0 [j]) 2 and the matrix S 0 has just one more column besides the columns in U 0, there does not exist a (2,n)-threshold VCS realized by the basis matrices S 0 and S with pixel expansion equal to (n 2 n + 2)/4. Hence, m n2 n. Thus, the theorem holds.

Constructions

In this section, we provide some constructions for (2,n)-threshold VCS. Such constructions are optimal with respect to the pixel expansion as they meet the bound of Theorem 4. We will consider four cases according to the congruency classes of n modulo four. For each class we will provide the basis matrices realizing the (2,n)-threshold VCS, but we will prove that such basis matrices are indeed basis matrices of a (2,n)-threshold VCS only for the case n 0 mod 4. The other cases can be handled in a similar way and the interested reader can find all the proofs in [2].

In order to present constructions for (2,n)-threshold VCSs, we need to set up our notation. If c {0, } n (i.e., c is a binary vector of length n), then by c(i) we denote the ith entry of c, where i n. Moreover, we denote by c i,j {0, } n the binary column such that w(c i,j ) = n 2 and c(i) = c(j) = 0. Let I be a set such that I {,,n} 2. We denote by M(I) the binary matrix induced by the set of pairs belonging to I, that is M(I) is formed by the columns c i,j with (i, j) I. Since, for our construction, the order in which the pairs in I are chosen is immaterial, then the matrix M(I) is one of the I! matrices that can be constructed considering, in any order, the pairs belonging to I. Finally, with UP(2,n) we denote an n ( n 2 ) binary matrix containing all unavoidable patterns for a (2,n)-threshold VCS (i.e., UP(2,n) contains all the columns of weight n 2).

The case n 0 mod 4: To define the basis matrices of a (2,n)-threshold VCS, we will divide the columns of UP(2,n) in two matrices. The first matrix will contain n 2 /4 distinct unavoidable patterns. The second matrix will contain all the n(n )/2 n 2 /4 remaining patterns and the duplication of n/2 of them. Define the sets I, I 2, and I 3 as follows:

I ={(i, j) : i n/2 and (n + 2)/2 j n},
I 2 ={(i, j), (i + n/2,j + n/2) : i <j n/2},
I 3 ={(i, i + ) : i = 2p with p n/2}

We construct the matrices S 0 and S as depicted in Fig 3. We now illustrate the realization of the basis matrices of a (2,n)-threshold VCS for n 0 mod 4, by considering an example of the construction depicted in Fig 3.

Example 4 For n = 8, the matrices induced by the sets I, I 2 and I 3 are as follows: M(I ) = , M(I 2 ) = , M(I 3 ) =

Fig 3 Basis Matrices of a (2,n)-threshold VCS for n 0 mod 4

Therefore, the matrix S 0 and S generated by the construction depicted in Fig 3 are: S 0 = , S = In this scheme, m = 6 and α(m) = 6.

In the next theorem we prove that the matrices S 0 and S defined by the scheme in Fig 3 realize a (2,n)-threshold VCS for n 0 mod 4. According to Theorem 4, the scheme is optimal with respect to the pixel expansion.

Theorem 42 The matrices S 0 and S defined by the scheme in Fig 3 realize an expansion-optimal (2,n)-threshold VCS for n 0 mod 4.

Proof It is immediate to see that both matrices S 0 and S defined by the scheme in Fig 3 have n rows. The number of columns of S 0 is equal to I =n 2 /4; while, the number of columns of S is equal to I 2 + I 3 =n(n 2)/4 + n/2 = n 2 /4. Hence, S 0 and S have the same dimensions n and m = S 0 = S.

To prove that Condition of Definition 23 is satisfied, notice that I and I 2 partition the set {(i, j) : i n, j n, and i = j} and that I 3 I 2. According to the construction in Fig 3, for any set X ={i, j}, we have that w(s 0 X ) = { n 2 /4 if (i, j) I, n 2 /4 if (i, j) I 2 and n 2 /4 if (i, j) I, w(sx ) = n 2 /4 if (i, j) I 2 \I 3, n 2 /4 2 if (i, j) I 3. Therefore, Condition of Definition 23 is satisfied.

To prove that Condition 2 of Definition 23 holds, we will prove that, for any r n, it holds that w(s 0 [r]) = w(s [r]). It is immediate to see that for any r n there are n/2 zeroes in S 0 [r]. Hence, w(s 0 [r]) = n/2. The matrix S is equal to M(I 2 ) M(I 3 ). Hence, w(s [r]) = w(m(i 2 )[r]) + w(m(i 3 )[r]) = (n/2 ) + = n/2. Thus, for r n we have that w(s 0 [r]) = w(s [r]) and Condition 2 of Definition 23 is satisfied.

Finally, notice that since all columns of both S 0 and S have weight n 2, then, for any set X of participants of size at least three, it holds that w(sx 0 ) = w(s X ) = m. Hence, Condition 3 of Definition 23 is satisfied, too. Thus, the matrices S 0 and S defined by the scheme in Fig 3 realize a (2,n)-threshold VCS with pixel expansion equal to n 2 /4. According to Theorem 4, such pixel expansion is the smallest achievable and the theorem is proved.

The case n mod 4

Notice that, when n mod 4, the matrix UP(2,n) has an even number of columns and that the number of zeroes in any row of UP(2,n) is also even and it is equal to n. To define the basis matrices of a (2,n)-threshold VCS, we will partition the columns of UP(2,n) into two matrices in such a way that such matrices have the same number of columns and each row has (n )/2 entries equal to zero. Define the sets I, I 2, I 3, and I 4 as follows:

I ={(i, j) : i <j n},
I 2 ={(i, j) : 2 i (n + )/2 and (n + 3)/2 j n},

I 3 ={(, j), (,j + (n )/2) : 2 j (n + 3)/4},
I 4 ={(i, i + (n )/2) : 2 i (n + 3)/4}

Notice that the set M(I ) = UP(2,n). We construct the matrices S 0 and S as depicted in Fig 4.

Fig 4 Basis matrices of a (2,n)-threshold VCS for n mod 4

We now illustrate the realization of the basis matrices of a (2,n)-threshold VCS for n mod 4, by considering an example of the construction depicted in Fig 4.

Example 42 For n = 9, the matrices induced by the sets I 2, I 3 and I 4 are as follows: M(I 2 ) = 0000, M(I 3 ) =, M(I 4 ) = Therefore, the matrix S 0 and S generated by the above construction are: S = 0000, S 0000 = In this scheme, m = 8 and α(m) = 8.

The case n 2 mod 4

The (2, 2)-threshold VCS described by Naor and Shamir [4] satisfies Definition 23 and it is an expansion-optimal VCS. For completeness, we report the basis matrices realizing it: [ ] [ ] S 0 0 =, S 0 = 0 0

For n 2 mod 4, n>2, our construction is based on the technique used to realize the (2,n)-threshold VCS for n 0 mod 4. To define the basis matrices of a (2,n)-threshold VCS, we will divide the columns of UP(2,n) in two matrices. The first matrix will contain n 2 /4 distinct unavoidable patterns. The second matrix will contain all the

12 80 C Blundo et al / Theoretical Computer Science 369 (2006) Fig 5 Basis matrices of a (2,n)-threshold VCS for n 2 mod 4, n>2 n(n )/2 n 2 /4 remaining patterns and the duplication of n/2 of them For n 2 mod 4 and n>2, define the set I, I 2, I 3, I 4 and I 5 as follows: I ={(i, j) : i n/2 and (n + 2)/2 j n}, I 2 ={(i, j), (i + n/2,j + n/2) : i <j n/2}, I 3 ={(i, i + n/2) : i n/2}, I 4 ={(i, i + n/2 + ) : i n/2 } {(n/2,n/2 + )}, I 5 ={(i, i + ), (i + n/2,i+ + n/2) : i n/2 } {(,n/2), (n/2 +,n)} Setting I 6 = I 3, we can construct the matrices S 0 and S as depicted in Fig 5 We now illustrate the realization of the basis matrices of a (2,n)-threshold VCS for n 2 mod 4 and n>2, by considering an example of the construction depicted in Fig 5 Example 43 For n = 6, the matrices induced by the sets I,,I 6 are as follows: M(I ) = , M(I 2 ) = 00 00, M(I 3 ) = 0 0, M(I 4 ) = 0 0, M(I 5 ) = 00 00, M(I 6 ) = Therefore, the matrix S 0 and S generated by the above construction are: S 0 = , S = In this scheme, m = 9 and α(m) = 9

The case $n \equiv 3 \bmod 4$

An expansion-optimal $(2,3)$-threshold VCS is described by the following basis matrices

0 0 S 0 = 00, S = 00 () 0 0

To define the basis matrices of a $(2,n)$-threshold VCS for $n \equiv 3 \bmod 4$ and $n > 3$, we will use the matrices induced by the following sets:

$I_1 = \{(i,j) : 1 \le i < j \le n\}$,
$I_2 = \{(i,j) : 2 \le i \le (n+1)/2 \text{ and } (n+3)/2 \le j \le n\}$,
$I_3 = \{(i, i + (n-1)/2) : 2 \le i \le (n+1)/4\}$,
$I_4 = \{(1,2),\ (1, (n+3)/2)\}$,
$I_5 = \{(2, (n+3)/2)\}$,
$I_6 = \{(1,i),\ (1, i + (n-1)/2) : 2 \le i \le (n+1)/4\}$.

We construct the basis matrices $S^0$ and $S^1$ of a $(2,n)$-threshold VCS for $n \equiv 3 \bmod 4$ and $n > 3$ as depicted in Fig. 6.

Fig. 6. Basis matrices of a $(2,n)$-threshold VCS for $n \equiv 3 \bmod 4$, $n > 3$.

We now illustrate the realization of the basis matrices of a $(2,n)$-threshold VCS for $n \equiv 3 \bmod 4$ and $n > 3$, by considering an example of the construction depicted in Fig. 6.

Example 4.4. For $n = 7$, the matrix induced by the set $I_1$ is $UP(2,n)$, while the matrices induced by the sets $I_2, \ldots, I_6$ are as follows:

M(I 2 ) = 000, M(I 3 ) =, M(I 4 ) =, M(I 5 ) =, M(I 6 ) =

Therefore, the matrices $S^0$ and $S^1$ generated by the above construction are:

S = 000, S 000 =

In this scheme, m = 2 and α(m) = 2
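The partition described for the case n ≡ 1 mod 4 can be checked mechanically; the following Python sketch is an added example, not code from the paper. It assumes that the unavoidable pattern of a pair (i, j) is the column with zeros in rows i and j and ones elsewhere, and, because Fig. 4 is not reproduced on this page, that one matrix collects the patterns of (I_2 \ I_4) ∪ I_3 while the other takes the rest of UP(2,n); all function names are hypothetical.

```python
from itertools import combinations


def index_sets(n):
    """I_1..I_4 for n = 1 (mod 4), as the text defines them (1-based pairs)."""
    if n < 5 or n % 4 != 1:
        raise ValueError("sets are defined here for n = 1 mod 4, n >= 5")
    half = (n - 1) // 2
    q = (n + 3) // 4
    i1 = set(combinations(range(1, n + 1), 2))
    i2 = {(i, j) for i in range(2, (n + 1) // 2 + 1)
          for j in range((n + 3) // 2, n + 1)}
    i3 = ({(1, j) for j in range(2, q + 1)}
          | {(1, j + half) for j in range(2, q + 1)})
    i4 = {(i, i + half) for i in range(2, q + 1)}
    return i1, i2, i3, i4


def pattern_matrix(pairs, n):
    """M(I): one column per pair (i, j); 0 in rows i and j, 1 elsewhere (assumed)."""
    cols = sorted(pairs)
    return [[0 if r in pair else 1 for pair in cols] for r in range(1, n + 1)]


def split_up(n):
    """Assumed reading of Fig. 4: (I_2 minus I_4) union I_3 versus the rest of UP(2,n)."""
    i1, i2, i3, i4 = index_sets(n)
    first = (i2 - i4) | i3
    return pattern_matrix(first, n), pattern_matrix(i1 - first, n)


def stacked_weight(matrix, rows):
    """Hamming weight of the OR of the given 1-based rows (shares stacked)."""
    return sum(any(matrix[r - 1][c] for r in rows)
               for c in range(len(matrix[0])))


def check(n):
    """Evaluate the properties the text states for the two matrices."""
    a, b = split_up(n)
    m = len(a[0])
    parts = range(1, n + 1)
    return {
        # both halves of UP(2,n) must have the same number of columns
        "columns": (len(a[0]), len(b[0])),
        # every row of either matrix must contain (n-1)/2 zeros
        "zeros_per_row": {row.count(0) for s in (a, b) for row in s},
        # one share alone: same weight under both matrices, so no information
        "single_share_equal": all(
            stacked_weight(a, (r,)) == stacked_weight(b, (r,)) for r in parts),
        # two shares: the weights differ (darker or lighter), by how much
        "pair_gaps": {abs(stacked_weight(a, x) - stacked_weight(b, x))
                      for x in combinations(parts, 2)},
        # three shares: every column contains a 1, so the weight is m
        "triples_full_weight": all(
            stacked_weight(a, x) == stacked_weight(b, x) == m
            for x in combinations(parts, 3)),
    }


if __name__ == "__main__":
    for n in (5, 9, 13):
        print(n, check(n))
```

Under these assumptions every pair of shares sees a weight gap of exactly 1 between the two matrices, in one direction or the other, which matches the model in which the recovered image may be darker or lighter than the background.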

Comparison: We have seen that, in order to implement a visual cryptography scheme, each pixel of the secret image is subdivided into $m$ subpixels. Hence, there is a loss of resolution proportional to $m$. Therefore, schemes with smaller pixel expansion are better. In [5] the authors described a $(2,n)$-threshold visual cryptography scheme having pixel expansion $m$ such that

$$m = \begin{cases} \dfrac{(n-1)(n+3)}{4} & \text{if } n \text{ is odd},\\[1ex] \dfrac{n(n+2)}{4} & \text{if } n \text{ is even}. \end{cases}$$

It is immediate to see that the pixel expansion of the schemes presented in this paper is smaller. Hence, our schemes are better. Another important measure of the goodness of a visual cryptography scheme is the relative difference. Schemes with higher relative difference are better. Since the relative difference of our schemes and of the ones proposed in [5] is equal to $1/m$, our schemes improve on the relative difference, too.

References

[1] G. Ateniese, C. Blundo, A. De Santis, D.R. Stinson, Visual cryptography for general access structures, Inform. and Comput. 129 (2) (1996).
[2] C. Blundo, S. Cimato, A. De Santis, Visual cryptography schemes with optimal pixel expansion, in: Cryptology ePrint Archive, Report 2006/170, 2006.
[3] C. Blundo, A. De Santis, D.R. Stinson, On the contrast in visual cryptography schemes, J. Cryptology 12 (1999).
[4] M. Naor, A. Shamir, Visual cryptography, in: A. De Santis (Ed.), Advances in Cryptology, Eurocrypt '94, Lecture Notes in Computer Science, Vol. 950, Springer, Berlin, 1995, pp. 1–12.
[5] W.-G. Tzeng, C.-M. Hu, A new approach for visual cryptography, Designs, Codes and Cryptography 27 (3) (2002).


More information

Lecture Notes on Secret Sharing

Lecture Notes on Secret Sharing COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material

More information

New Inequalities for q-ary Constant-Weight Codes

New Inequalities for q-ary Constant-Weight Codes New Inequalities for q-ary Constant-Weight Codes Hyun Kwang Kim 1 Phan Thanh Toan 1 1 Department of Mathematics, POSTECH International Workshop on Coding and Cryptography April 15-19, 2013, Bergen (Norway

More information

Notes on Alekhnovich s cryptosystems

Notes on Alekhnovich s cryptosystems Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given

More information

Discrete Mathematics. Benny George K. September 22, 2011

Discrete Mathematics. Benny George K. September 22, 2011 Discrete Mathematics Benny George K Department of Computer Science and Engineering Indian Institute of Technology Guwahati ben@iitg.ernet.in September 22, 2011 Set Theory Elementary Concepts Let A and

More information

M17 MAT25-21 HOMEWORK 6

M17 MAT25-21 HOMEWORK 6 M17 MAT25-21 HOMEWORK 6 DUE 10:00AM WEDNESDAY SEPTEMBER 13TH 1. To Hand In Double Series. The exercises in this section will guide you to complete the proof of the following theorem: Theorem 1: Absolute

More information

Perfect Secret Sharing Schemes from Room. Squares. Ghulam-Rasool Chaudhry. Centre for Computer Security Research. University of Wollongong

Perfect Secret Sharing Schemes from Room. Squares. Ghulam-Rasool Chaudhry. Centre for Computer Security Research. University of Wollongong Perfect Secret Sharing Schemes from Room Squares Ghulam-Rasool Chaudhry Hossein Ghodosi Jennifer Seberry Department of Computer Science Centre for Computer Security Research University of Wollongong Wollongong,

More information

Economics 204 Fall 2011 Problem Set 1 Suggested Solutions

Economics 204 Fall 2011 Problem Set 1 Suggested Solutions Economics 204 Fall 2011 Problem Set 1 Suggested Solutions 1. Suppose k is a positive integer. Use induction to prove the following two statements. (a) For all n N 0, the inequality (k 2 + n)! k 2n holds.

More information

Ideal Hierarchical Secret Sharing Schemes

Ideal Hierarchical Secret Sharing Schemes Ideal Hierarchical Secret Sharing Schemes Oriol Farràs Carles Padró June 30, 2011 Abstract Hierarchical secret sharing is among the most natural generalizations of threshold secret sharing, and it has

More information

Computers and Mathematics with Applications

Computers and Mathematics with Applications Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis

More information

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra D. R. Wilkins Contents 3 Topics in Commutative Algebra 2 3.1 Rings and Fields......................... 2 3.2 Ideals...............................

More information

Codes for Partially Stuck-at Memory Cells

Codes for Partially Stuck-at Memory Cells 1 Codes for Partially Stuck-at Memory Cells Antonia Wachter-Zeh and Eitan Yaakobi Department of Computer Science Technion Israel Institute of Technology, Haifa, Israel Email: {antonia, yaakobi@cs.technion.ac.il

More information

Problem 1: Suppose A, B, C and D are finite sets such that A B = C D and C = D. Prove or disprove: A = B.

Problem 1: Suppose A, B, C and D are finite sets such that A B = C D and C = D. Prove or disprove: A = B. Department of Computer Science University at Albany, State University of New York Solutions to Sample Discrete Mathematics Examination III (Spring 2007) Problem 1: Suppose A, B, C and D are finite sets

More information